Diffstat (limited to 'meta-oe/recipes-support/gd/gd/CVE-2016-6906-2.patch')
-rw-r--r--meta-oe/recipes-support/gd/gd/CVE-2016-6906-2.patch135
1 files changed, 0 insertions, 135 deletions
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2016-6906-2.patch b/meta-oe/recipes-support/gd/gd/CVE-2016-6906-2.patch
deleted file mode 100644
index 8b6de97112..0000000000
--- a/meta-oe/recipes-support/gd/gd/CVE-2016-6906-2.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From 58b6dde319c301b0eae27d12e2a659e067d80558 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Tue, 16 Aug 2016 16:26:19 +0200
-Subject: [PATCH] Fix OOB reads of the TGA decompression buffer
-
-It is possible to craft TGA files which will overflow the decompression
-buffer, but not the image's bitmap. Therefore we also have to check for
-potential decompression buffer overflows.
-
-This issue had been reported by Ibrahim El-Sayed to security@libgd.org;
-a modified case exposing an off-by-one error of the first patch had been
-provided by Konrad Beckmann.
-
-This commit is an amendment to commit fb0e0cce, so we use CVE-2016-6906
-as well.
-
-Upstream-Status: Backport
-CVE: CVE-2016-6906
-
-Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
----
- src/gd_tga.c | 8 +++++++-
- tests/tga/Makemodule.am | 3 ++-
- tests/tga/heap_overflow.c | 16 ++++++++++++----
- tests/tga/heap_overflow_1.tga | Bin 0 -> 605 bytes
- tests/tga/heap_overflow_2.tga | Bin 0 -> 8746 bytes
- 5 files changed, 21 insertions(+), 6 deletions(-)
- create mode 100644 tests/tga/heap_overflow_1.tga
- create mode 100644 tests/tga/heap_overflow_2.tga
-
-diff --git a/src/gd_tga.c b/src/gd_tga.c
-index 68e4b17..f80f0b1 100644
---- a/src/gd_tga.c
-+++ b/src/gd_tga.c
-@@ -295,7 +295,13 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
- buffer_caret = 0;
-
- while( bitmap_caret < image_block_size ) {
--
-+
-+ if (buffer_caret + pixel_block_size > rle_size) {
-+ gdFree( decompression_buffer );
-+ gdFree( conversion_buffer );
-+ return -1;
-+ }
-+
- if ((decompression_buffer[buffer_caret] & TGA_RLE_FLAG) == TGA_RLE_FLAG) {
- encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & ~TGA_RLE_FLAG ) + 1 );
- buffer_caret++;
-diff --git a/tests/tga/Makemodule.am b/tests/tga/Makemodule.am
-index 916d707..ab08dbf 100644
---- a/tests/tga/Makemodule.am
-+++ b/tests/tga/Makemodule.am
-@@ -15,7 +15,8 @@ EXTRA_DIST += \
- tga/bug00247a.tga \
- tga/bug00248.tga \
- tga/bug00248a.tga \
-- tga/heap_overflow.tga \
-+ tga/heap_overflow_1.tga \
-+ tga/heap_overflow_2.tga \
- tga/tga_read_rgb.png \
- tga/tga_read_rgb.tga \
- tga/tga_read_rgb_rle.tga
-diff --git a/tests/tga/heap_overflow.c b/tests/tga/heap_overflow.c
-index 0e9a2d0..ddd4b63 100644
---- a/tests/tga/heap_overflow.c
-+++ b/tests/tga/heap_overflow.c
-@@ -1,5 +1,5 @@
- /**
-- * Test that the crafted TGA file doesn't trigger OOB reads.
-+ * Test that crafted TGA files don't trigger OOB reads.
- */
-
-
-@@ -7,21 +7,29 @@
- #include "gdtest.h"
-
-
-+static void check_file(char *basename);
- static size_t read_test_file(char **buffer, char *basename);
-
-
- int main()
- {
-+ check_file("heap_overflow_1.tga");
-+ check_file("heap_overflow_2.tga");
-+
-+ return gdNumFailures();
-+}
-+
-+
-+static void check_file(char *basename)
-+{
- gdImagePtr im;
- char *buffer;
- size_t size;
-
-- size = read_test_file(&buffer, "heap_overflow.tga");
-+ size = read_test_file(&buffer, basename);
- im = gdImageCreateFromTgaPtr(size, (void *) buffer);
- gdTestAssert(im == NULL);
- free(buffer);
--
-- return gdNumFailures();
- }
-
-
-diff --git a/tests/tga/heap_overflow_1.tga b/tests/tga/heap_overflow_1.tga
-new file mode 100644
-index 0000000000000000000000000000000000000000..e9bc0ecb2a847ac6edba92dd0ff61167b49002cd
-GIT binary patch
-literal 605
-zcmZQz;9`IQ9tIu;g&7<$F3o7Yg1qzyh6tefy9wZAs2d<Uh*yuz=?XwW4Qvuv#g2nS
-zp93+mT0rVR>T&8(2TGy=f_l)@gSap~$FayUFu(!|SyJIFga^{8fGj~vwq8kkVgvv>
-Cavop+
-
-literal 0
-HcmV?d00001
-
-diff --git a/tests/tga/heap_overflow_2.tga b/tests/tga/heap_overflow_2.tga
-new file mode 100644
-index 0000000000000000000000000000000000000000..2b681f2df8941d6823aa761be0a7fa3c02c92cbf
-GIT binary patch
-literal 8746
-zcmeIxF$#b%6a>*<djij4?cuz+Vi5?!RIY)@*eDAQ@`zPSwQE1NTI<YQEqdQG#s5@h
-zwDFtAoIjm)CIQa|$z*q(vz}DbnPjrN&RI{Y=}a=&UFWPP)joCZ<31}ey8!(}FZZ71
-zWop>#e)AY=opmMw&j!h4cb&7IRMVMcvb)Y%PpaumGTB|{tS8lUCYkK6bJmk;IzMDC
-D4PYIN
-
-literal 0
-HcmV?d00001
-
---
-2.10.2
-